18th ICCRTS Cyberspace Integration within the Air Operations Center Topics: Approaches and Organizations; Collaboration, Shared Awareness, and Decision Making; Cyberspace Management Authors Bradley A. Rueter, Major, US Air Force (STUDENT) Robert F. Mills, PhD Jonathan W. Butts, Major, USAF, PhD Air Force Institute of Technology Wright-Patterson AFT OH

Point of Contact Dr. Robert F. Mills Department of Electrical and Computer Engineering Air Force Institute of Technology 2950 Hobson Way Wright-Patterson AFB OH 45433-7765 937-255-3636 x4527 FAX 937-656-4055 [email protected]

1

Cyberspace Integration within the Air Operations Center

Abstract The Air and Space Operations Center (AOC) is the United States Air Force’s operational command and control (C2) platform for the planning and execution of Air, Space, and Cyber operations. Operational C2 of cyber forces is a significant challenge that impacts planning and integration of cyber operations at the AOC. The Joint Staff’s Transitional Cyberspace C2 Concept of Operations, released in March 2012, provides a cyber C2 framework at the Geographical and Functional Combatant Command level, but it is not clear yet how Air Force AOCs will work together to meet the requirements of the CONOPS or conduct cyber planning to support the needs of the Joint Force Air Component Commander. This paper summarizes the results of a mission analysis to identify the roles and responsibilities for cyber operations within the AOC, separating them from traditional J6/A6 responsibilities. Additionally, the Joint Staff CONOPS calls for significant “reach back” for planning, expertise, and potential execution of cyber capabilities; as such, the paper provides a discussion on how to facilitate globally linked, interoperable AOCs for cyber planning and execution.

2

Cyberspace Integration within the Air Operations Center Introduction This analysis will present the current situation for cyber in the United States Air Force (USAF), presenting the relevant organizations within the Component Numbered Air Forces (C-NAF), the Combatant Commands, and USCYBERCOM. Following the situation is a section dedicated to exploring the requirements that have been levied on the C-NAF with regards to cyber. Additionally, the Air Operations Center’s (AOC) internal processes is explored, to examine how cyber is integrated and synchronized with other effects, and ensure that critical AF-centric requirements are met. Finally, the last section will make a series of recommendations about how different organizations could be structured in order meet the cyber related requirements and build synergy amongst the AOCs.

Specific

recommendations for the C-NAF, AOC, and Cyber Operations Team are included, as well as recommendations to facilitate reach-back support to 24AF. Situation Since Cyberspace was declared a unique and separate domain in July 2011 the Department of Defense (DoD) has continued to refine what cyber operations means, what effects it can generate, and how to synchronize those effects within the larger scheme of maneuver [1].

Much progress has been

made thus far at the strategic and tactical levels of war, leaving the operational level struggling to define, deconflict, and institutionalize roles and responsibilities. The Joint Staff, USSTRATCOM, and USCYBERCOM have spent significant time formalizing the presentation of cyber forces, the global and regional command and control (C2) of these forces and the resulting complexity that comes from a desire for timely regional effects but requiring global deconfliction [2]. Additionally, at the tactical level, cyber forces have made great strides in the development and fielding of various capabilities, the documentation and refinement of Tactics, Techniques and Procedures (TTP), and for the USAF, integration with air assets in exercises and the Weapons Instructor Course (WIC) [3]. The combination of new strategic guidance and great tactical strides has left the C-NAFs to struggle with general roles and responsibilities, as well as the planning, integration, deconfliction, and

3

operational C2 of cyber effects at the operational level of war. The expectations for the Combatant Commands (CCMD), as articulated in the Joint Staff Transitional Cyberspace Operations Command and Control Concept of Operations, generally requires the CCMD to have situational awareness of their networks, to coordinate network defense, and coordinate offensive cyber operations [4]. These CCMD requirements necessitate information from their components, so that sensor data can be aggregated to produce Area of Responsibility (AOR) wide situational awareness. Additionally, most defensive cyber operations must be standardized and coordinated so that offensive operations are properly deconflicted with other units, agencies and departments. The Components likewise owe the tactical level executors the commander’s intent, rules of engagement, special instructions, tactical tasks, and generally a feasible plan for the employment of their respective weapon systems. Tactical units expect that operational planners have already integrated cyber into the larger scheme of maneuver, synchronized effects, garnered appropriate authorities, and are prepared to provide operational C2 of cyber forces.

With robust

expectations from the strategic level (above) and from the tactical level (below), the C-NAFs must take significant steps to mitigate the current gaps. One fundamental challenge for the C-NAF Commanders is that he/she wears multiple hats, as the Commander of Air Force Forces (COMAFFOR) and (usually) Joint Forces Air Component Commander (JFACC), and thus also has multiple staffs. The Air Force Forces (AFFOR) Staff and the AOC each have inherent cyber equities and responsibilities. The Intelligence (A2), Operations (A3), Plans and Requirements (A5), and Communications (A6) directorates are the principle stakeholders on the AFFOR staff. With the COMAFFOR hat, the commander is responsible for the sustainment of Air Force forces, generally thought of as “beds, beans, and bullets” which are critical to the successful accomplishment of operational missions. The COMAFFOR requires C2 nodes to assist in exercising command authorities, and when it comes to Service responsibilities (like sustainment) the AFFOR staff exercises operational and administrative control. The AFFOR staff’s function is to support and assist the COMAFFOR in preparing the Air Force component to carry out the functions and tasks assigned by the Joint Force Commander (JFC), and through which the COMAFFOR fulfills his/her operational and administrative

4

responsibilities for assigned and attached forces, and is responsible for the long-range planning and theater engagement operations that occur outside the air tasking cycle (e.g., deliberate planning) [5]. The AFFOR Communications Directorate (A6) is the principal staff assistant to the COMAFFOR for communications, electronics and information capabilities. This includes establishing the theater communications and automated systems architecture to support operational and command requirements [5].

The AFFOR/A6 is generally responsible for the communications infrastructure, engineering,

installation, and maintenance of computer networks, which could also include a Network Operations and Security Center (NOSC), and many other functions beyond the scope of this analysis.

With the

consolidation and centralization of most USAF NOSCs into Integrated NOSC (I-NOSCs) most C-NAFs won’t have their own NOSC, but will rely on the assigned I-NOSC for day-to-day network operations and security [6]. Within the AFFOR, A2 (Intelligence), A3 (Operations) and A5 (Plans and Requirements) also have significant cyber equities that usually revolve around offensive cyber operations, but require due consideration. In general, the AFFOR staff must develop a habitual working relationship with the AOC to fulfill the COMAFFOR’s full range of responsibilities and to integrate staff efforts with the AOC battle rhythm, this holds particularly true for cyber as well [5]. The COMAFFOR normally uses some form of an AOC to exercise control of operations and to plan, direct, and assess the activities of assigned and attached forces [5]. The AOC provides operationallevel C2 of air, space, and cyberspace operations, and is the focal point for planning, directing, and assessing air, space, and cyberspace operations to meet JFACC operational objectives and guidance [7]. Currently, cyber in the AOC is primarily focused on integrating and synchronizing offensive cyber effects with other effects to achieve military objectives. The AOC is uniquely suited to do this planning and integration, but is generally challenged in cyber as there are relatively few operational planners that understand how to plan and integrate cyber effects into the larger scheme of maneuver. Thus far, the discussed cyber equities have been largely Air Force specific, but the Joint Staff Transitional Cyberspace Operations Command and Control Concept of Operations (CONOPS) adds several additional players that must be addressed. This CONOP mandated each CCMD establish a Joint

5

Cyber Center (JCC) within their staff organization. Each JCC is the focal point for cyber command, planning, operations, intelligence, targeting, and readiness for each CCMD. The Joint Staff CONOPS also makes it clear that “providing all cyber support forward in CCMDs [AOR] is neither feasible nor desirable” and that many cyber capabilities would be provided solely through reach-back. Finally, some capabilities supporting synchronization must be forward deployed [4]. The CONOPS also introduces the Cyber Support Element (CSE) construct that is designed to be the USCYBERCOM liaisons to the CCMD. As required, the CSE would deploy to and be collocated with the JCC. The JCC would continue to represent the Geographic Combatant Commander, as the supported commander and the CSE would leverage their expertise and USCYBERCOM reach-back to support the Commander’s objectives. This organization is shown in Figure 1 [4]. Ostensibly, this arrangement would have no impact on the C-NAF, as the AFFOR and AOC cyber personnel would continue to work with the JCC as normal. However, each CCMD is different, and effects-integration and deconfliction may be delegated to a Component.

USCYBERCOM has also

developed a team called the Expeditionary Cyber Support Element (exCSE) which is meant to augment the CCMD Components at their respective C2 nodes or headquarters. The exCSE is subordinate to the CSE and is comprised of USCYBERCOM personnel. This has particularly impact for AOCs, as the JFACC is likely to be the lead effects integrator, or at the least has sufficient equities to warrant an exCSE. The AOC must understand what the exCSE is, what it can provide, what it isn’t, and must be prepared to share the same spaces with these liaisons. It is important to note the difference between augmentees and liaisons in terms of AOC manpower. Augmentees are additional personnel that are assigned to the AOC, and ultimately work for the JFACC. They bring special knowledge or skills to the AOC team whenever needed. Liaisons are representatives of other component commanders and do not work for the JFACC [8]. Liaisons are an integral part of an AOC, but their marching orders ultimately come from someone other than AOC leadership. The CSE, to include the exCSE, are liaisons to the CCMD and its components respectively

6

and thus should not be considered the primary cyber planners. The AOC should have organic cyber planners with whom the exCSE is liaising. Because cyberspace is global, all other C-NAFs must understand and work with AFCYBER/24 AF, which is the USAF component to USCYBERCOM. AFCYBER is generally expected to prepare for “full-spectrum military cyberspace operations” which breaks down to three Lines of Operation; DODGlobal Information Grid (GIG) operations, defensive cyberspace operations (DCO) and offensive cyber operations (OCO). On the defensive side, AFCYBER is tasked to support the CCMD with reach-back support by directing and enabling operations and defense of the CCMD and subordinate DOD GIG networks, to recommend and enable local network access and defense actions, assist with local compliant measures, monitor CCMD and subordinate network events, and finally coordinate cyberspace defense among the CCMD, its components and external support elements [4]. One of AFCYBER’s responsibilities is defending the USAF portion of the DOD’s networks, which parallels the responsibilities of the AFFOR/A6 as discussed above. From a service perspective, the 24AF must also defend the AFNet, the Air Force provisioned portion of the GIG, which is the global connectivity and services that enable Air Force commanders to “achieve information and decision superiority” in pursuit of strategic, operational, and tactical objectives [9].

Of the three Lines of

Operation detailed in the Joint Staff CONOPS, each requires specific information from the C-NAF to ensure the AFNet is providing and prioritizing the proper services (mission assurance), that the network’s defense posture is responsive to the current threat, and that offensive operations meet the objectives of the Joint Force Commander and JFACC. While AFCYBER/24AF has these tasks, the regional C-NAF has a significant responsibility in providing the operational and regional context to AFCYBER/24AF, without which the AFCYBER/24AF forces are making the best decisions they can and generally without the context that the mission owner has. The 24AF has an AOC C2 node, called the 624th Operations Center, (624OC) which executes C2 for the subordinate wings and specifically the aforementioned I-NOSCs (Figure 2) [10]. The 624OC and the regional AOCs perform almost identical functions for their respective AORs. The 624OC follows the

7

same ATO process as other AOCs and has the same organizational structure, which should make cross communication very easy. To facilitate communication, the regional AOCs can request a Cyber Operations Liaison Elements (COLE), provided by AFCYBER/24AF, to work within the regional AOC to provide cyber planning and operations expertise and serve as the 24th AF Commander’s and the 624OC’s senior representatives in theater [10] [7]. It is unclear at this time whether the COLE is viable considering USCYBERCOM’s exCSE construct which seems to create redundancy. In summary, there are many different organizations with substantive cyber equities that must be included in order for the AOC to meet the JFACC’s objectives. At the operational level, the AOC must work with its associated AFFOR staff, the 624OC and 24AF planners. At the strategic level, the Combatant Commander’s JCC will provide guidance and required inputs.

When necessary,

USCYBERCOM will deploy their CSE to collocate with the JCC, but may also send an exCSE to work at the AOC. With so many stakeholders, roles and responsibilities must be clearly defined; the requirements for cyber stakeholders will be analyzed next, in hopes of identifying natural seams around which roles and responsibilities can be developed. Requirements There are many sources for requirements when it comes to cyber, but in order to maintain focus on the AOC and its role in cyber operations, this study focused on requirements pertinent to the planning and execution of cyber operations. This means that there are many other requirements and regulations that govern the engineering, installation, and maintenance of network infrastructure that are not included herein. In a C-NAF, these infrastructure related tasks fall to the A6, and since this analysis does not include those infrastructure tasks, it may appear that the AFFOR is undertasked, which would be an unfair assessment [5]. The goal is to identify the operational tasks that must be accomplished by the C-NAF and which organizations have equities in those tasks; ultimately identifying roles and responsibilities within the C-NAF. To accomplish this mission analysis, a document review was conducted on Joint guidance, Air Force Doctrine, Air Force Instructions, Air Force Policy Documents, and Air Force Tactics, Techniques,

8

and Procedures. These tasks are aggregated and distilled into distinct mission areas, and are provided in Table 1. The Joint Staff Transitional Cyberspace Operations C2 CONOPS specifies tasks for USSTRATCOM, USCYBERCOM and its Components, Geographical and Functional CCMDs and their respective Joint Cyber Center. The Air Force overarching doctrine for cyberspace operations is encapsulated in AF Doctrine Document (AFDD) 3-12, and highlights that cyberspace operations are “not synonymous with information operations (IO)” but that cyberspace can directly support IO;” this is a key consideration in defining roles and responsibilities inside a C-NAF. Mission Assurance is also identified as an important cyber task that requires the mission owner to prioritize essential functions, map these missions and their dependencies against cyberspace, and thereby identify the associated vulnerabilities and potential mitigation strategies [11]. Finally, per AFI 13-1AOC volume 3, the AOC is required to provide cyber planning and operations expertise in order to coordinate and synchronize cyberspace operations activities with other domains, to include the IO Team. The regional AOC is tasked to reach-back to 624OC for planning, indications and warnings, defended asset list development and C2 support and deconfliction. Additionally, the AOC is charged with communicating Joint Force Commander’s requirements to 24AF and the 624OC.

Finally, the AOC is to ensure all cyber tasking are deconflicted, integrated and

coordinated into the Air Tasking Order (ATO). These tasks are numbered according to the functional area where 1.0, 1.1, 1.2, etc., are all similar tasks from different sources, by grouping these tasks in this manner, the number of minimum essential tasks that the C-NAF must handle becomes more manageable.

The tasks are then mapped on a

communication flow diagram (Figure 3) to describe which organizations the C-NAF must work with, and what tasks/data must be provided. The tasks inside the AF Component box, which includes the AOC and AFFOR Staff, are processes and products that remain internal to the C-NAF, although the specific roles and responsibilities within the C-NAF aren’t yet defined. Also, within the AF Component block are the

9

liaisons, to include the exCSE, which are noteworthy because they will likely assist in many of these reporting functions. Abstracting down to the next level of the operational task view is focused on the roles and responsibilities within the AF Component (Figure 4). Here, the tasks are divided between the AFFOR and the AOC based on the task itself and the organization that is explicitly tasked or best suited to handle it. As was previously noted, this depiction shows significantly fewer tasks for the AFFOR than the AOC, but is missing the plethora of tasks required for infrastructure engineering and support. The intersection of the AOC and AFFOR circles is an area of particular interest, because it succinctly depicts the challenges that the C-NAF must overcome in order to handle all aspects of the cyber mission-set. AFTTP 3-3.AOC recommends the formation of a Network Defense Working Group (NDWG) as a cross-organizational body that can coordinate network defense across all stakeholders. The NDWG includes representatives of the AOC, NOSC, AFFOR/A6, Network Control Center (NCC) and others as required [8]. For the Network Infrastructure and passive defense tasks (green) in the intersection, no single organization has sufficient situational awareness, authority, or capability to identify the system vulnerabilities, assess enemy capabilities, determine mitigation strategies, assess mission risks, prioritize the mitigations based on mission impact, and implement a chosen course of action. A cross-organization entity like the NDWG, that includes Service and CCMD equities, is required to address these network defense gaps for the C-NAF. Of the many tasks remaining on the AOC side of the diagram, one is imminently important, 6.7 “ensure all cyber taskings are deconflicted, integrated, and coordinated in the ATO,” [7] although synchronization should be included as well. This singular task also represents the main purpose of the AOC, all of the internal process, working groups and boards ultimately lead the approval, publishing, and execution of the ATO.

The ATO is the core document that ensures effects are integrated and

synchronized. Not only airborne based effects are on the ATO; any effects that impact the air domain are included as well. In order to holistically evaluate the cyber-related requirements for the AOC, it is necessary to also evaluate the internal AOC process, at a minimum where cyber equities are anticipated.

10

For a complete review of the ATO process, reference AFI 13-1AOC volume 3 and AFTTP 33.AOC, but the most critical times for cyber are summarized here. A cyber planner, that understands the capabilities and limitations of cyber, must participate in the beginning Strategy discussion in order to lead turn reach-back requests for support and the formulation of intelligence collection requirements. During ATO production, only a trained cyber planner can match potential cyber effects against cyber delivery platforms, and express the capabilities and limitations to the other weapon-system planners. If the intelligence preparation is not sufficient, then the cyber planner may be forced to remove certain cyber weapons or platforms from the available list. While the previous steps are underway, the Intelligence, Surveillance, and Reconnaissance Division (ISRD), in coordination with the CCMD, USCYBERCOM and other agencies, will be conducting intelligence preparation of the operational environment, enemy analysis, developing a collection plan, and target development, which is currently the greatest challenge to integrating cyber into the ATO [7] [12]. Finally, execution presents challenges as offensive cyber capabilities aren’t usually deployed to the AOR and may not belong to the USAF. However, controlling operational timing and tempo are key elements to synchronizing effects for air-centric offensive or defensive operations. Furthermore, unlike the Integrated Air & Missile Defense forces, the JFACC doesn’t necessarily have Operational or Tactical control over all the entities necessary to mount an effective cyber defense. A habitual relationship and practice with the 624OC and the JCC is essential to ensuring timely coordination and responsive reachback. This exact problem arose during several AF exercises in the recent past, and one mitigation proposal is a Defensive Cyber Operations-Tactical Coordinator (DCO-TC), which is fundamentally a liaison from the 624OC that has sufficient authority, from 24AF, to directly task Service organizations, like the I-NOSC, AF Computer Emergency Response Team, or base-level network control center, to coordinate cyber defense. This method puts the necessary Service authorities at the disposal of the Joint Force without losing the operational context or confusing the chains of command [13]. In summary, there are many cyber-related requirements and expectations levied on the C-NAF from a variety of sources. Fortunately, when aggregated and analyzed, these requirements can be grouped

11

and organized into a manageable set of minimum essential tasks. The singularly most important task for the Air Component is the integration and synchronization of cyber into the ATO, which is a very involved process and requires cyber-savvy planners at many different levels in the AOC to ensure success. The cyber challenges peak in the execution phase because of the disparate organizations across the AOR (or globe) that have vital data and no easy mechanism to share it and thereby enhance the AOC’s situational awareness. Clearly defining roles and responsibilities, and developing a suitable organizational structure are the first challenges that the operational level must overcome. Recommendations Establish a Cyber Center at the C-NAF Level. The first recommendation, and the basis for the subsequent ones, is that the USAF should seek to parallel the organization outlined in the Joint Staff Transitional Cyberspace Operations C2 CONOPS. Just as the CCMD has a Joint Cyber Center, the AF Component should establish a parallel entity, one that stretches across the AFFOR Staff and AOC boundaries. This office is the lead for cyber in the AF component, and it provides a single focal point for the JCC to work with. The JCC has liaisons from USCYBERCOM (the CSE); likewise the C-NAF Cyber Center has continual liaisons from AFCYBER/24AF in the form of 624OC/I-NOSC representatives, and when necessary can still request a COLE from AFCYBER/24AF. During an exercise or contingency, the CSE embeds with the JCC and reaches back to USCYBERCOM, similarly, USCYBERCOM will likely provide an exCSE to the Air Component, or the COMAFFOR can request a COLE. By paralleling the design at the strategic level, lines of communication and roles begin to take shape. The JCC concept is fundamentally about bridging the equities that each directorate has and providing a common framework for addressing cyber issues. The AF component can garner the same benefits by adopting a Cyber Center setup that bridges the equities of A2, A3, A5, A6, and the AOC. The C-NAF Cyber Center will also serve to remove redundancy between cyber liaisons, clarify the lines of communication and streamline tasking and integration within the Air Component. The challenge is in aligning and synchronizing actions across the many staff elements. C-NAF staffs work extensively across the directorates on a routine basis for a variety of functions, but not usually cyber. Each C-NAF needs to

12

build a Cyber Center construct and divide the roles and responsibilities according to their specific needs. Furthermore, communications with the CCMD will become easier and normalize when there is a single C-NAF Cyber Center, regardless of how its personnel are matrixed across the staff. The AFFOR A2, A3, A5 will continue to work CONPLAN development as they normally would, but by identifying the cyber planners for each directorate and binding them under the C-NAF Cyber Center, the cyber aspects of the CONPLAN will improve drastically. Also, a more robust intelligence reporting and A6 response for cyber is critical to developing an integrated network defense posture. In many C-NAFs, these functions are primarily handled by 24AF entities (I-NOSC, 624OC, etc.) but as mentioned above, these organizations generally lack the context which is important to the C-NAF commander. The C-NAF Cyber Center is poised to tackle this with tighter meshing of A2, A3 and A6 but also including 24AF representation. Finally, the A3 and A6 responsibilities overlap in the area of Network Defense rules of engagement, the development of flexible response options, and the codification of these policies for the tactical units. At the nexus of the AFFOR staff’s overlapping responsibilities is the Director of Cyber Forces (DIRCYBERFOR). The DIRCYBERFOR is a fundamental position in the C-NAF Cyber Center, he/she provides unity of command and a single voice to the CCMD, and COMAFFOR on cyber planning, integration, and execution.

The inherent challenge for the DIRCYBERFOR will be to bridge the

communications and operations tribes and provide a unity of purpose. A potential good match of the DIRCYBERFOR is the deputy A6 and deputy A3 positions that can unite the tribes.

The

DIRCYBERFOR position, if adopted should also be afforded formal training similar to what the Director of Mobility Forces receives from Air Mobility Command. The lead command for identifying training requirements for the DIRCYBERFOR should be 24AF, as the DIRCYBERFOR will play a significant role in coordinating reach-back support for the C-NAF. Additionally, the DIRCYBERFOR will play an integral role in the AOC, where the current director positions, Director of Mobility Forces (DIRMOBFOR) and the Director of Space Forces (DIRSPACEFOR), advise the JFACC/COMAFFOR on issues in their unique enclaves. The directorships

13

were meant to provide augmenting advice for a JFACC that may not be well versed in Mobility or Space capabilities and limitations. From this precedent, a DIRCYBERFOR position certainly has merits of its own, and USAFCENT has already instituted at DIRCYBERFOR for the 609 AOC in Southwest Asia. Establish an AOC Cyber Operations Teams. Every C-NAF will be approach this Cyber Center differently, based on manpower, expertise and roles, but the AOC is an integral part of the C-NAF Cyber Center, and must be prepared to perform a bulk of the tasks during exercises and contingencies, when the AFFOR staff is focused on “beans, bullets, and beds.” Furthermore, each C-NAF has missions and focuses that are unique to their AOR, which inevitably means that each C-NAF will have different manning requirements which will need to be addressed. Thus, the next level that requires organizational analysis is the AOC itself, the robust cyber requirements, as outline above, cannot be adequately met by a network warfare cell buried inside of the information operations team (IOT) as currently outlined in the regulations [7]. As seen in Figure 4, the AOC has many tasks centered on coordinating defense, planning and executing offense, and the intelligence actions to support both. These general tasks take many manhours of planning to be ready for execution, coupled with the mandate of robust ATO integration, the loose collection of cyber planners than an AOC may currently have must be solidified into an organization that best suites the AOC and the emerging requirements of cyber. There are three primary archetypal organizations within the AOC, a division, a director’s staff, and a team. Extensive analysis was conducted on how cyber personnel could be organized under each of these archetypes. The resulting organizational structures were then graded on their relative merits in the areas of manpower use, cross-divison integration, and autonomy to focus on cyber issues. In general, a division requires administrative overhead and manpower that the other organizational structures do not, and could serve to further stove-pipe cyber instead of integrating it across the AOC. The director’s staff framework will face the same challenges as the Director of Space Forces does now, with each cyber planner working for their respective Division Chief, and the DIRCYBERFOR will be challenged to exercise significant influence over cyber planning processes, and will find it difficult to synchronize efforts throughout the ATO cycle. Finally, AOC specialty teams work across the various division to plan,

14

integrate, and ensure their equities are accounted for. The Cyber Operation Team would be on the same level as the other teams, but also have additional backing and guidance from the DIRCYBERFOR. The cyber operations teams includes all of the cyber planners in the AOC; and work for a team leader that ensures proper representation in strategy meetings, ATO production meetings, as well as ensure sufficient representation on the “floor” to coordinate execution of offensive and defensive cyber effects. Of the three organizational types, the team makes the best use of manpower while being able to focus almost exclusively on cyber issues. The team structure also addresses cross-division integration quite well, as long the team stays engaged with the ATO cycle.

Comparing the relative merits of these three

organizational paradigms, and while each AOC will have unique needs in this regard, the Cyber Operations Team best balances impact with personnel. Given the relative merits of the Cyber Operations Team (COT) over the other paradigms, the exact organization of the team still requires attentions, especially when reminded of the all the tasks that fall to the AOC. The COT is led by a team chief that reports directly to the AOC Commander. The team chief has the unenviable task of ensuring that cyber is integrated and planned from the first strategy meeting through the execution phase. It is natural to divide the work between offense, OCO, and defense, DCO. As shown in Figure 5, the COT must have planners dedicated to OCO and DCO; these planners will begin planning with the Strategy Division but also carry forward to the Combat Plans Division for targeting effects, and master attack planning. The AF-wide lack of cyber experts is an unavoidable issue with this construct; putting greater responsibility upon a relative few number of AOC planners emphasizes the need for a thoughtful, deliberate assignment process. In order for this to work, the manpower functional and the AOC should be concerned with getting the right individual to shoulder these responsibilities, else this construct will be counterproductive to cyber integration writ large. Also, the number of planners needed for this will depend greatly on the operations tempo of the region, but the emphasis for the foreseeable future should be on defense. The DCO planner will also be the lead of the Network Defense Working Group (NDWG). The NDWG should be the primary reoccurring briefing that the DIRCYBERFOR receives; it provides the

15

needed focus on bridging A2, A3, and A6 planners with the AOC.

Additionally, the AOC

Communications Team (ACT), which is usually a sub-unit of the AFFOR/A6 should attend in order to discuss hardening and defending the AOC systems themselves. The DIRCYBERFOR may decide to chair the NDWG for several months in order to provide it the proper vector and get firsthand accounts of the challenges for each of the staff elements. The NDWG is also the primary entry point for 24AF support, initially in the form of the servicing I-NOSC and later with select parts of the 624OC, which will be discussed later. The DIRCYBERFOR will likely find that the NDWG will raise issues that will require significant O-6 level discussions between directors within and without the C-NAF. If done correctly, by “baking-in” cyber during the initial strategy meetings, the local ISRD and 624OC/ISRD will have sufficient lead time to gather sufficient intelligence to build target folders. This is the primary role of the Target Planner, a trained intelligence airman with sufficient cyber background to manage the cyber targets, identify intelligence shortfalls, and prioritize requests based on the OCO and DCO planner’s needs. As discussed above, the targeting process for cyber is still rather immature and depending on the CCMD requirements may be the single largest hurdle for the COT to tackle. Finally, the execution portion of the ATO cycle must be adequately addressed for the addition of cyber capabilities. Combat Operations Division is basically divided into offensive operations, defensive operations, and intelligence teams, with a variety of specialty teams providing inputs as required (Figure 6). The COT should be staffed with an OCO and a DCO duty officer and have a continuous presence on the floor sitting near or with their respective counterparts. The DCO duty officer is also the perfect location for DCO-TC, as described above, to provide AF Service level defensive capabilities without delay and in full coordination with theater forces controlled by the DCO Duty Officer. The DCO-TC is a liaison however, and should not be expected to C2 forces assigned to the Combatant Commander. Manage Expectations for/with Liaisons. With regards to cyber liaisons from USCYBERCOM or 24AF, the COT provides a seamless organization for them to liaison with. The exCSE or COLE Chief would be the natural counterpart to the Cyber Operations Team Chief, and they would jointly decide where and when each of the liaison-team-members should work. The COT should be prepared to double

16

in size when an exCSE arrives and should already understand what an exCSE can offer in terms of reachback support.

Additionally, the DIRCYBERFOR should have recurring communications with the

USCYBERCOM CSE lead and discuss roles, responsibilities, and expectations of the exCSE before they arrive at the AOC. Establish a Regional Structure within the 624OC. As the CCMDs begin to solidify their JCC and associated processes, it is likely that more will be expected from the components in terms of cyber planning, reporting, and situational awareness. As the pressure increases on the geographic C-NAFs, AFCYBER/24AF will see increased requests for reach-back support, to augment the situational awareness and capabilities that the geographic C-NAFs don’t have access to or don’t have the expertise to handle. One crucial part of the C-NAF Cyber Center will be to coordinate with their 24AF counterparts to ensure a unified message from the AF components to their respective CCMDs. This should hold true for the AOC functions as well, and the 624OC must be postured and organized to facilitate the necessary reach-back support. A fundamental aspect of reach-back support that will frustrate the supported and supporting AOCs a like is an inevitable lack of context outside of the AOR. In order for the 624OC to make the right decisions and provide the right support, they must have context on what is going on in theater. This is achieved in two ways; the first is 624OC personnel must develop a concept of “normal” for that particular region. “Normal” network traffic looks a certain way, attacks usually occur from a particular vector and seem to be targeting certain things. Without a concept of “normal”, the 624OC will not be able to provide the indications and warnings that their counterparts need. The 624OC/ISRD is divided up regionally; they have specific people concentrating on specific regions of the world. They provide intelligence analysis and can provide context to leadership when it deviates from normal. The rest of the 624OC divisions are not organized regionally, and thus have no baseline for “normal” in the AORs. The 624OC should make an effort to divide itself into Mission Area Teams, one team that includes members from every division for each Geographical Combatant Command. ISRD should provide recurring intelligence briefs to all members of the Mission Area Team and as the team members build context and make contact

17

with their regional AOC counterparts, other divisions can brief pertinent details that aid in developing context. Implement Globally Linked, Interoperable AOCs. The second recommendation that will help the 624OC gain and maintain regional context, is to build habitual relationships with their AOC counterparts. Meetings between the COTs and Mission Area Teams should occur at a bi-weekly basis via secure teleconference. The team leaders will have to decide what topics are appropriate to share between supported and supporting AOCs, but mutually increasing situational awareness and providing context is worth the additional man-hours. The COTs within each regional AOC then need to communicate the “cyber tribe’s” understanding of the threats to the rest of the AOC planning team. Creating a closed door, “cyber only” process should be aggressively avoided. This habitual relationship will make reach-back during contingencies and exercises feasible, ensuring that both organizations understand the battlerythm, capabilities and limitations of the other beforehand. This relationship will also make sourcing a COLE or exCSE easier, as some 624OC personnel are already familiar with the AOR and its respective challenges. The maturing of globally linked interoperable AOCs may be more compelling for 24AF leadership than simple the fostering of context and situational awareness, the 24AF needs help with one of their primary tasks, Mission Assurance. Addressing mission assurance for the USAF cannot be accomplished without the mission owners, but the mission owners don’t necessarily understand the term, what it means to them, or why they have such a critical role. Fostering communications between AFFOR staffs and AOCs will greatly help the 24AF in beginning to tackle the mission assurance problem. Mapping the AOC missions to required infrastructure may be a feasible first step in understand the larger mission assurance problem-set, and habitual working relationship between AOCs is a necessary first step. In summary, the C-NAFs need to adopt an organizational structure that provides unity to the CCMD and sister services in terms of cyber. The C-NAF Cyber Center mirrors what the CCMDs are adopting, and thus makes for an easy transition. The C-NAF Cyber Center must bridge the AFFOR Directorates and the AOC, and this is most likely achieved through a Director of Cyber Forces. The AOC is a vital part of the C-NAF Cyber Center, and should reorganize its cyber personnel into a Cyber

18

Operations Team, with the autonomy to plan offensive and defensive cyber while the DIRCYBERFOR ensures all the of C-NAF’s cyber equities are included. The Network Defense Working Group is critical to breaking down organizational stove-pipes and solving the tough problems of defending the AFNet and other constructed networks. Finally, the 624OC should consider forming teams for each Geographic Combatant Command that spans each of the 624OC divisions. The Mission Area Teams should build their situational awareness on normal network operations and begin habitual working relationships with their regional AOC counterparts. Finally, these relationships can help 24AF begin to understand the mission assurance problem space. Conclusion Through this analysis, the current situation was presented with regards to cyber players in a CNAF, the CCMD, and USCYBERCOM to include the CSE, exCSE, and AFCYBER. Additionally, the plethora of operational cyber-related tasks and requirements were discussed and aggregated, further defining the requirements the C-NAF must meet, with particular emphasis on cyber integration with other assets, manifested in the ATO. Finally, a series of organizational recommendations were offered in order for the C-NAF, the AOC, and ultimately the Cyber Operations Team to meet all of the expectations for the C-NAF. Additional recommendations for the 624OC were offered in order to facilitate globally linked, interoperable AOCs.

The views expressed in this paper are those of the authors and do not reflect the official policy or position of the United States Air Force, the Department of Defense, or the United States Government.

19

References [1] Department of Defense, "Department of Defense Strategy for Operating in Cyberspace," 2011. [2] Secretary of Defense, Memorandum for Commanders of the Combatant Commands, 2012. [3] K. Lustig, "Weapons school integrates cyber warfare," 16 06 2012. [Online]. Available: http://www.af.mil/news/story.asp?id=123304225. [Accessed 10 01 2013]. [4] Joint Staff, Joint Staf Transitional Cyberspace Operations Command and Control Concept of Operations, 2012. [5] LeMay Center/DDS, Air Force Doctrine Document 1, 2011. [6] Air Intelligence Agency Public Affairs, "Air Force stands up first network warfare wing," 05 07 2006. [Online]. Available: http://www.af.mil/news/story.asp?id=123022799. [Accessed 07 02 2013]. [7] Air Force Instruction 13-1 AOC, Volume 3, change 1, 2012. [8] AFTTP 3-3.AOC, 2007. [9] HQ USAF/A3/5, Air Force Policy Directive 13-3, 2008. [10] 624 OC, Concept for the 624th Operations Center (OC), 2010. [11] LeMay Center/DDS, Air Force Doctrine Document 3-12, Change 1, 2011. [12] S. J. Smart, "Joint Targeting in Cyberspace," Air and Space Power Journal, pp. 65-75, 2011. [13] 561st Joint Tactics Squadron, Flash Bulletin 12-12: Defensive Cyber Operations - Tactical Coordinator Planning and execution, 2012. [14] 8AF, Concept of Cyber Warfare, 2007. [15] 561st Joint Tactics Squadron, Tactics Bulletin 2011-02: Non-Kinetic Operations Coordination Cell, 2011.

20

Appendix A Tables and Figures

Figure 1: Strategic Cyber C2 [4]

Figure 2: 24AF Command and Control [10]

21

Table 1: C-NAF Cyber Tasks # 1.0 1.1 1.2 1.3 1.4 2.0 2.1 2.2 2.3 3.0 3.1 3.2 3.3 4.0 4.1 4.2 5.0 5.1 5.2 5.3 5.4 6.0 6.1 6.2 6.3 6.4 6.5 6.6 6.7 6.8 7.0 7.1 8.0 8.1 8.2 9.0 9.1 9.2 9.3 10.0 10.1 10.2

Air Component Tailored Tasks Network infrastructure and passive defense Operate and Defend tactical or constructed networks within component Form, facilitate and allocate personnel to the Network defense working group (NDWG) Liasison with NetOPS (MAJCOM NOSC, local NCC) NetD Directly supports JFACC theater forces Report tactical and/or constructed network info to JCC Monitor AOR (component) Network events Assist AFOSI with NetD Coordinate Computer network defense (CND) in the NOSC, A6, NCC and AOC Analyze network activity; determine COAs to protect, detect and react to threats Provide mission assurance & critical cyber infrastructure protection analysis/planning to JCC Produce/update the risk assessment for AFFOR networks (TACS..to include the AOC) Focal point for AOC network threat assessment Mission Assurance Recommend CyberCondition (INFOCON) Recommend CyberCondition (INFOCON) Recommend Security posture for AOR Planning and Execution of Cyberspace operations (OCO and active defense) Implement CCDR cyberspace strategy and planning guidance Plan NetA, NetD, and NS for air component objectives provide cyber planning and operations expertise Develop & integrate cyber ops planning into OPLANS/CONPLANS Coordinate and synchronize cyberspace operations activities with air and space operations Plan and control OCO within assigned mission sets Planning and execution of NWO missions for air campaign Coordinates cyberspace ops via JCC Assist JCC in plan/control/direct of OCO within AOR Recommend effects of adversary networks and telecommunications systems Examine Adversary networks to identify critical and vulnerable links and nodes Assist JCC with timing, tempo, and integration of CCDR cyber ops Ensure all cyber taskings are deconflicted, integrated, and coordinated into ATO Coordinating and integrating cyber capabilities with the IO team and Net Warfare Planners Work with STO planners Work with STO team Submit OPE objective and desired effects to JCC Inputs to JCC for OPE to meet CCDR intent Inputs to JCC to build JIPOE and TSA products Intel Coordinate, synch, integrate cyber-related intel and anlaysis into operational plans Work with NOSC, AFFOR/A6, AFOST, ISRD the IO team and agencies to identify adversary threats and blue vulnerabilities Reachback to outside agencies to identify adversary capabilities and threats against AOC information systems Reach back for planning, indications and warnings, defended asset list development, C2 support and deconfliction Submit targets to JCC ISO plans and operations Follow CCDR objectives, guidance, and intent for targeting cycle and prioritize targets Nominate targets for CTL and JIPTL

Publication

Page(s)

JS C2 AFTTP 3-3.AOC AFTTP 3-3.AOC AFTTP 3-3.AOC JS C2 JS C2 AFTTP 3-3.AOC AFTTP 3-3.AOC AFTTP 3-3.AOC JS C2 AFTTP 3-3.AOC AFTTP 3-3.AOC AFDD 3-12 JS C2 AFTTP 3-3.AOC AFTTP 3-3.AOC

10 8-13 8-11 8-12 12 13 8-11 8-13 8-12 12 8-13 8-12 7 13 8-11 8-12

JS C2 AFTTP 3-3.AOC AFI 13-1AOCv3 JS C2 AFI 13-1AOCv3 JS C2 AFTTP 3-3.AOC JS C2 JS C2 AFTTP 3-3.AOC AFTTP 3-3.AOC JS C2 AFI 13-1AOCv3 AFI 13-1AOCv3 JS C2 AFI 13-1AOCv3 JS C2 JS C2 JS C2

10 8-11 108 12 108 10 8-12 12 10 8-12 8-12 11 108 107 11 108 10 13 13

JS C2

13

AFTTP 3-3.AOC

8-13

AFTTP 3-3.AOC

8-13

AFI 13-1AOCv3

107

JS C2 JS C2 JS C2

11 11 11

22

Figure 3: Operational Task view (top)

Figure 4: Operational Task View (intermediate)

23

Figure 5: Cyber Operations Team

Figure 6: Combat Operations Division

24

Appendix B Acronyms 624OC AFDD AFFOR AFI AFNet AFTTP AOC AOR ATO C2 CCMD C-NAF COLE COMAFFOR CONOPS CONPLAN COT CSE DCO DCO-TC DIRCYBERFOR DIRMOBFOR DIRSPACEFOR DoD exCSE GIG I-NOSC IO IOT ISRD JCC JFACC JFC JIPTL JPG NCC NDWG NKOCC NOSC OCO OPLAN TTP USAF WIC

624th Operations Center Air Force Doctrine Document Air Force Forces Air Force Instruction Air Force Network Air Force Tactics, Techniques and Procedures Air Operations Center Area of Responsibility Air Tasking Order Command and Control Combatant Command Component Numbered Air Force Cyber Operations Liaison Element Commander of Air Force Forces Concept of Operations Concept of Operations Plan Cyber Operations Team Cyber Support Element Defensive Cyber Operations Defensive Cyber Operations - Tactical Coordinator Director of Cyber Forces Director of Mobility Forces Director of Space Forces Department of Defense Expeditionary Cyber Support Element Global Information Grid Integrated Network Operations and Security Center Information Operations Information Operations Team Intelligence, Surveillance, Reconnaissance Division Joint Cyber Center Joint Forces Air Component Commander Joint Force Commander Joint Integrated Prioritized Target List Joint Planning Group Network Control Center Network Defense Working Group Non-kinetic Operations Coordination Cell Network Operations and Security Center Offensive Cyber Operations Operations Plan Tactics, Techniques and Procedures United States Air Force Weapons Instructor Course

25